ICO Updates International Transfer Guidance: What DUAA Changes Mean for UK Organisations

The ICO has updated its international transfers guidance under the DUAA. Learn what UK organisations must do to stay compliant.

ICO Updates on International Transfers

The Information Commissioner’s Office (ICO) has updated its guidance on sending personal data outside the UK. This follows changes in the Data (Use and Access) Act (DUAA).

If your organisation uses overseas suppliers, cloud services, or group companies outside the UK, this matters to you. International data transfers are still seen as high risk under UK GDPR, and the ICO has made it clear that organisations must still take responsibility and keep proper records.

In short: the approach is more practical, but the responsibility has not gone away.

Why This Matters Now

Since Brexit, sending personal data overseas has been tricky. Organisations have had to deal with:

  • UK GDPR rules
  • UK adequacy decisions
  • Transfer risk assessments
  • Special contracts like IDTAs

The DUAA is meant to reduce unnecessary paperwork while keeping people’s data safe. The ICO’s updated guidance reflects that.

However, this is not a free pass. You still need to think carefully about risk.

The Biggest Difference: A More Practical Risk Test

The main change is how organisations are expected to judge risk when sending personal data overseas. Before the DUAA, the focus was on whether data protection in another country was “essentially equivalent” to the UK.

In practice, this often led to long, technical risk assessments that were hard to apply and did not always reflect real-world risk.

Under the new guidance, the ICO now asks a simpler question:

Is the level of protection for people’s data not materially lower than it would be in the UK?

This shifts the focus away from theoretical legal comparisons and towards practical outcomes, such as:

  • How the data will actually be used
  • How likely it is to be accessed or misused
  • What real protections are in place
  • What would happen if something went wrong

In short, the biggest difference is this: you no longer have to prove that another country’s laws look just like the UK’s. You do have to show that people’s data is protected in a meaningful, real-world way.

What “Not Materially Lower” Means in Practice

You should look at whether people’s data is protected in a meaningful way in the destination country.

This includes thinking about:

  • What type of personal data is being sent
  • What the overseas organisation will do with it
  • Whether public authorities are likely to access it
  • Whether people could take action if something went wrong

The focus is on real-world risk, not unlikely worst-case scenarios.

What Has Not Changed

Even with the new guidance, the basics stay the same. You must still:

  • Use a valid transfer mechanism
  • Carry out and record a transfer risk assessment where needed
  • Add extra safeguards if risks are identified
  • Keep assessments under review

The ICO has made it clear that poor records or weak risk assessments can still lead to enforcement action.

Accountability Still Matters

The ICO has reinforced that organisations must be able to explain and evidence their decisions. You should be able to show:

  • Why you chose a particular transfer tool
  • How you assessed risk under the new standard
  • What safeguards are in place
  • When you plan to review the assessment

Just signing a contract is not enough if you do not understand the actual risk.

What Organisations Should Do Now

You should review your current international transfers in light of the updated guidance.

Practical steps include:

  • Reviewing existing transfer risk assessments
  • Updating internal templates and guidance
  • Checking contracts use the right UK transfer tools
  • Making sure staff involved in procurement and data sharing understand the changes
  • Keeping a clear record of decisions

Our Support Desk and GDPR Audits help organisations review transfers and update documentation with confidence.

Our View

At Data Protection People, we welcome the ICO’s move towards a more practical approach. The updated guidance should make life easier for organisations without lowering standards.

However, this is not a shortcut. Organisations still carry responsibility for protecting personal data.

If organisations treat this as a box-ticking exercise, they risk falling foul of UK GDPR’s accountability rules.

Done properly, the new guidance helps organisations focus on real risks and real protections.

FAQs

Does the DUAA remove the need for transfer risk assessments?

No. The ICO has not removed the need to assess and document risk when using safeguards like IDTAs or the UK Addendum. What has changed is the test you apply. Instead of checking for “essential equivalence”, you now assess whether protection is “not materially lower” than in the UK. The focus is on real-world risk, not legal theory.

Do existing IDTAs need to be replaced?

No. Existing tools are still valid, but you should review your assessments.

Does this apply to all international transfers?

Yes. Any personal data sent outside the UK must meet UK GDPR requirements.

Contact Us

If your organisation needs help reviewing international data transfers or updating transfer risk assessments, our team can support you.

We provide Data Protection Support, GDPR Audits, and Training to make compliance clear and practical. Contact us today.

Source

Information Commissioner’s Office, “International transfers guidance under UK GDPR”. Available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/